rusackas opened a new pull request, #33212: URL: https://github.com/apache/superset/pull/33212
Potential fix for [https://github.com/apache/superset/security/code-scanning/2006](https://github.com/apache/superset/security/code-scanning/2006) To fix the issue, we need to sanitize the `data-bootstrap` attribute before using it. This can be achieved by escaping special characters or validating the input to ensure it conforms to expected patterns. Additionally, we should ensure that any URLs constructed using `ensureAppRoot` are properly encoded to prevent XSS. 1. Modify the `getBootstrapData` function to sanitize the `data-bootstrap` attribute when it is read from the DOM. 2. Update the `ensureAppRoot` function to encode the constructed URL to ensure it is safe for use in navigation functions. 3. Use a utility function like `encodeURIComponent` or a library like `DOMPurify` to sanitize and encode the data. --- _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
